[sudo-users] Fwd: SUDO centralization based on Server!

Patrick Spinler spinler.patrick at mayo.edu
Tue Sep 6 14:33:17 EDT 2011


Someone else will have to chime in to confirm or deny my failing memory,
but I do know that when using LDAP in general, there are no guarantees
as to the order that elements are returned from a search; leading from
that, I seem to recall reading somewhere that the behavior of sudo deny
rules when pulled from LDAP might not be the same as when reading rules
from a file, again 'cause you can't specify or enforce a rule order.

Can anyone confirm or deny that vague memory of mine?

-- Pat

On 09/06/2011 07:16 AM, pradyumna dash wrote:
> Hi,
> 
> I have configured SUDO with OpenLDAP.  I have created a group called
> "sysadm" and assigned the below commands which the users belonging to this group
> can execute.  Now I have created a user called "bob" and assigned him to this group.
> When I log in as bob and run
> "sudo -l", it asks me for the password, and after I put in the correct
> password it shows me the "sudoCommand" list.  But it also executes the
> command "!/sbin/route" too, which he should not be able to execute; why is this
> happening? Did I do anything wrong?
> 
> dn: cn=%sysadm,ou=SUDOers,dc=example,dc=com
> objectClass: top
> objectClass: sudoRole
> cn: %sysadm
> sudoUser: %sysadm
> sudoHost: ALL
> sudoOption: !authenticate
> structuralObjectClass: sudoRole
> entryUUID: d6819d80-5c39-1030-9d7c-19f66ff1c84f
> creatorsName: cn=Manager,dc=example,dc=com
> createTimestamp: 20110816095703Z
> sudoCommand: /sbin/shutdown
> sudoCommand: /sbin/halt
> sudoCommand: /sbin/reboot
> sudoCommand: /sbin/yast
> sudoCommand: /sbin/yast2
> sudoCommand: /sbin/date
> sudoCommand: /sbin/kill
> sudoCommand: /usr/bin/killall
> sudoCommand: /usr/bin/passwd
> sudoCommand: /bin/su
> sudoCommand: /bin/rpm
> sudoCommand: /sbin/ifconfig
> sudoCommand: /sbin/ifup
> sudoCommand: !/sbin/route
> entryCSN: 20110826090949.582253Z#000000#000#000000
> modifiersName: cn=manager,dc=example,dc=com
> modifyTimestamp: 20110826090949Z
> 
> Regards,
> Neo
> 
> On Mon, Jul 4, 2011 at 11:32 AM, pradyumna dash <neomatrixgem at gmail.com>wrote:
> 
>> Hi,
>>
>> I need a solution for the below SUDO configuration.
>>
>> I have centralized SUDO with OpenLDAP, but I have a query: say I have
>> 2 servers, server1 and server2, and a user called bob which is an OpenLDAP
>> user.
>> What I want is that when bob logs in to server1 he has a different SUDO
>> command list, and when he logs in to server2 he will get a different list of
>> commands
>> which he is allowed to use.
>>
>> Can this issue be resolved? Now I have 2 individual SUDO files on each
>> server; can I centralize this?
>>
>> Regards,
>> Neo
>>
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
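The thread turns on Pat's point that LDAP returns entries and attribute values in no guaranteed order, so a negated sudoCommand like the poster's "!/sbin/route" cannot be relied on to behave as it would in a sudoers file, where the last matching rule wins. The script below is an added example (not code from the sudo project or from anyone on the list): it parses an LDIF dump of the SUDOers subtree and flags the patterns that are order-sensitive, namely negated sudoCommand values, roles without a sudoOrder attribute (the integer ordering attribute that sudo 1.7.5 and later schemas provide), several roles matching the same sudoUser, and "!authenticate", which removes the password prompt. It does not reimplement sudo's LDAP matching; it only tells you which rules to confirm on the host with "sudo -l" and "sudo -l /sbin/route". The LDIF sample is constructed, modelled on the posted entry plus a hypothetical second role for the same group.

```python
"""Audit sudoRole entries in an LDIF dump for order-sensitive rules.

Added example, not from the sudo project or the list posters.  It does not
reimplement sudo's LDAP matching; it only flags patterns that behave
differently from a sudoers file because LDAP does not guarantee the order
in which entries or attribute values are returned.
"""
import base64
from collections import defaultdict

# Constructed sample: the role posted in the thread (trimmed) plus a
# hypothetical second role for the same group, used only to exercise checks.
SAMPLE_LDIF = """\
dn: cn=%sysadm,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: %sysadm
sudoUser: %sysadm
sudoHost: ALL
sudoOption: !authenticate
sudoCommand: /sbin/shutdown
sudoCommand: /sbin/ifconfig
sudoCommand: !/sbin/route

dn: cn=%sysadm-net,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: %sysadm-net
sudoUser: %sysadm
sudoHost: server2
sudoCommand: /sbin/route
sudoOrder: 10
"""


def parse_ldif(text):
    """Parse a plain LDIF dump into a list of {attribute: [values]} dicts.

    Handles folded lines (leading space) and base64 values ("attr:: ...").
    Comment lines and a "version:" header are skipped.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]        # continuation of previous line
        else:
            unfolded.append(line)

    entries, current = [], defaultdict(list)
    for line in unfolded + [""]:            # trailing "" flushes last entry
        if not line.strip():
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue                         # not an attribute line
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current[attr.strip()].append(value)
    return entries


def audit_sudo_roles(entries):
    """Return (dn, finding) tuples for sudoRole entries worth a manual check."""
    findings = []
    roles = [e for e in entries if "sudoRole" in e.get("objectClass", [])]
    roles_by_user = defaultdict(list)
    for role in roles:
        dn = role["dn"][0]
        negated = [c for c in role.get("sudoCommand", []) if c.startswith("!")]
        if negated:
            findings.append((dn, "negated sudoCommand " + ", ".join(negated)
                             + ": LDAP gives no ordering guarantee, so file-style "
                               "last-match semantics do not apply; verify with "
                               "'sudo -l' and 'sudo -l <command>' on the host"))
        if "sudoOrder" not in role:
            findings.append((dn, "no sudoOrder: precedence relative to other "
                                 "roles is undefined"))
        if "!authenticate" in role.get("sudoOption", []):
            findings.append((dn, "sudoOption !authenticate: commands run "
                                 "without a password prompt"))
        for user in role.get("sudoUser", []):
            roles_by_user[user].append(dn)
    for user, dns in roles_by_user.items():
        if len(dns) > 1:
            findings.append((dns[0], "sudoUser %s appears in %d roles; overlapping "
                             "grants and denials are resolved only by sudoOrder"
                             % (user, len(dns))))
    return findings


if __name__ == "__main__":
    for dn, finding in audit_sudo_roles(parse_ldif(SAMPLE_LDIF)):
        print("%s\n    %s" % (dn, finding))
```

To run it against a live directory, feed it the output of an ldapsearch over the SUDOers subtree (for example "ldapsearch -x -b ou=SUDOers,dc=example,dc=com objectClass=sudoRole") instead of the embedded sample; the findings are review prompts, and the authoritative answer for any host is still what "sudo -l" reports there.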